Vulnerability Details CVE-2025-54072
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 34.7%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2025-54072
-
cpe:2.3:a:yt-dlp_project:yt-dlp:-
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.07
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.09
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.10
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.12
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.14
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.16
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.20
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.29
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.04
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.09
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.15
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.19
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.03
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.03.2
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.07
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.15
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.21
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.24.1
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.04.03
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.04.11
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.04.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.05.11
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.05.20
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.06.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.06.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.06.09
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.06.23
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.07.07
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.07.21
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.07.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.08.02
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.08.10
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.09.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.09.02
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.09.25
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.10.09
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.10.10
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.10.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.11.10
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.11.10.1
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.12.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.12.25
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.12.27
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.01.21
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.02.03
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.02.04
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.03.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.03.08.1
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.04.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.05.18
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.06.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.06.22.1
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.06.29
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.07.18
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.08.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.08.14
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.08.18.36
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.08.19
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.09.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.10.04
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.11.11
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.01.02
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.01.06
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.02.17
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.03.03
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.03.04
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.06.21
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.06.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.07.06
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.09.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.10.07
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.10.13
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.11.14
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.11.16